If you add a complexity requirement, make it for remote connections only.
 
Anthony

On Tuesday, July 12, 2011 6:32:48 PM UTC-4, Massimo Di Pierro wrote:

> we can make a delay default to 1 second and double it every failed
> attempt.
> we should add complexity. I would take a patch or add an issue in
> google code.
>
> On Jul 12, 8:01 am, cjrh <caleb.h...@gmail.com> wrote:
> > I like the timeout/delay idea for a failed password, and I very much like
> > the IP block after a number of failed attempts, but I am not too fond of a
> > complexity requirement. During development on my local machine (bound to
> > localhost), my standard admin password is "a". I would have to deal
> > with a complexity checker during development; and if we then say it will be
> > enabled only for production but not dev, then we need more code and
> > error-handling to manage the distinction, and it all becomes a lot of work.
> > I think the safeguards that are currently in web2py are quite sufficient,
> > and we can improve it a little bit more by penalizing brute force on the
> > password, which, as pbreit pointed out, is currently vulnerable.
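The two ideas in this thread, a per-failure delay that starts at 1 second and doubles (Massimo's proposal) and a complexity rule that applies to remote clients only (Anthony's), as an added example in Python. This is illustration code, not web2py's own implementation: the (username, client IP) keying, the 300 s cap on the delay, the specific complexity rules, and the injectable clock are all my assumptions.

```python
"""Exponential login-failure delay plus a complexity rule enforced only for
non-loopback clients. Added example; assumptions are noted inline."""
import ipaddress
import re
import time


class LoginThrottle:
    """Tracks failed logins per (username, client_ip).

    After each failure the caller must wait before the next attempt is
    accepted; the wait starts at ``base_delay`` (1 s, as proposed in the
    thread) and doubles on every further failure, capped at ``max_delay``
    (the cap is an assumption, not from the thread). A success clears the record.
    State lives in process memory, so it does not survive a restart or span
    multiple worker processes; a shared store would be needed for that.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._clock = clock  # injectable so the behaviour can be tested without sleeping
        self._state = {}     # (username, client_ip) -> (failure_count, not_before)

    def seconds_until_allowed(self, username, client_ip):
        """Remaining wait in seconds; 0.0 means an attempt may be made now."""
        _, not_before = self._state.get((username, client_ip), (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, username, client_ip):
        """Register a failed attempt and return the delay now imposed."""
        key = (username, client_ip)
        failures, _ = self._state.get(key, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[key] = (failures, self._clock() + delay)
        return delay

    def record_success(self, username, client_ip):
        """A correct password resets the counter for that user/address pair."""
        self._state.pop((username, client_ip), None)


def is_local_client(client_ip):
    """True for loopback addresses, where the thread wants no complexity rule."""
    try:
        return ipaddress.ip_address(client_ip).is_loopback
    except ValueError:
        return False  # unparsable address: fail closed and treat it as remote


# Assumed rule set; the thread does not specify which rules to use.
_COMPLEXITY_RULES = [
    (r".{8,}", "at least 8 characters"),
    (r"[A-Z]", "an upper-case letter"),
    (r"[a-z]", "a lower-case letter"),
    (r"[0-9]", "a digit"),
]


def complexity_problems(password, client_ip):
    """Return the unmet rules for a new password; always empty for loopback clients."""
    if is_local_client(client_ip):
        return []
    return [msg for pattern, msg in _COMPLEXITY_RULES if not re.search(pattern, password)]


class FakeClock:
    """Manually advanced clock used in the demo and tests (constructed, not real time)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for _ in range(3):  # three wrong passwords from a constructed remote address
        print("delay now", throttle.record_failure("admin", "203.0.113.5"))
    print("wait", throttle.seconds_until_allowed("admin", "203.0.113.5"))
    print("local 'a' problems:", complexity_problems("a", "127.0.0.1"))
    print("remote 'a' problems:", complexity_problems("a", "203.0.113.5"))
```

The delay is keyed on the user/address pair so that an attacker hammering one account does not lock out the legitimate user from another address, while still slowing every guessing client down; pair it with the IP block cjrh mentions if you want a hard stop after a fixed number of failures.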
